Make WordPress Core

Opened 19 months ago

Last modified 3 months ago

#21938 new enhancement

Add "no-store" to Cache-Control header to prevent history caching of admin resources

Reported by: soulseekah Owned by:
Milestone: Awaiting Review Priority: normal
Severity: trivial Version: 3.4
Component: Administration Keywords: has-patch
Focuses: Cc:


The current implementation of wp_get_nocache_headers does not take into account history caching, which results in a browser serving a cached copy of pages from history (by pressing the Back button) even if the user has long logged out.

RFC 2616 14.9.2 no-store describes this cache directive.

To repoduce: login to dashboard, logout, press the back button.
Expected: the login screen.
Reality: a copy of the previous page.

By adding the "no-store" directive to all non-cachable resources the behavior was mitigated successfully in Chrome 21, Firefox 15. Fails on Opera 12 (they chose to disregard "no-store" when applied to history, RFC allows this).

Attachments (1)

21938.patch (509 bytes) - added by soulseekah 19 months ago.
"no-store" please

Download all attachments as: .zip

Change History (8)

soulseekah19 months ago

"no-store" please

comment:1 kovshenin19 months ago

  • Cc kovshenin added

comment:2 ocean9019 months ago

  • Cc ocean90 added

comment:3 follow-up: toscho19 months ago

  • Cc info@… added
Version 0, edited 19 months ago by toscho (next)

comment:4 in reply to: ↑ 3 soulseekah19 months ago

Replying to toscho:

That needs good tests. For example the behavior after POST requests can be quite annoying. Performance might be an issue too.

Agreed, under certain circumstances this could be a nuisance, especially if users are logged in and the admin bar is shown. As for performance, it seems that all of twitter is served with "no-store" and it does appear (to me) to be quite jagged navigation-wise.

Without a proper step-by-step testing plan in mind, I guess I'll use the patch in production for a bit to see if it causes any unexpected issues in general.

comment:5 nacin19 months ago

The other issue is sometimes you want the back button to be where you were last, without a complete reload. How many times have you lost a comment or some other content by clicking away (in WP or not) and scrambled to recover it?

comment:6 SergeyBiryukov19 months ago

  • Version changed from trunk to 3.4
Note: See TracTickets for help on using tickets.